Before the 

Federal Communications Commission 
Washington, DC 


Unauthorized Disclosure and Sale of ^ 

Customer Location Information by ^ _-_ 

Wireless Carriers 

Informal Complaint Against 

AT&T Corporation 
T-Mobile U.S. 

Sprint Corporation 
Verizon Wireless 

for Unauthorized Disclosure and Sale of Customer Location Information 


by 


Georgetown Law Center on Privacy & Technology (CPT) 
New America’s Open Technology Institute (OTI) 
Free Press 


via ECFS, e-mail, and hand delivery 
June 14, 2019 

Open Technology Institute 

New America Foundation 
740 15th Street, NW—9th Floor 
Washington, DC 20005 

Eric Null, Senior Policy Counsel 
nuU@opentechinstitute.org 202.596-3493 

Free Press 

1025 Connecticut Avenue, NW, Suite 1110 
Washington, DC 20036 

Gaurav Laroia, Policy Counsel 
glaroia@,freepres s .net 202.265.1490 


Center on Privacy & Technology at 
Georgetown Law 

600 New Jersey Avenue NW 
Washington DC 20001 

Laura Moy, Executive Director 

laura.moy@law.georgetown.edu 

202.662.9547 

Samuelson-Glushko Technology Law & Policy 
Clinic (TLPC) at Colorado Law 
Robert and Laura HiU CUnical Suite 
404 UCB, Boulder, CO 80309-0404 

Counsel to Center on Privay <& Technology 

Blake E. Reid, Director* 
blake.reid@colorado.edu 303.492.0548 


Nathan Bartell and Zachary DeFelice, Student Attorneys, provided substantial assistance. 



Summary 

Location information associated with wireless customers’ ceU phones is highly sensitive. 
Cell phones go nearly everywhere their owners go. In the words of the Supreme Court, they 
are “now such a pervasive and insistent part of daily life that the proverbial visitor from Mars 
might conclude they were an important feature of human anatomy.”’ According to at least 
one widely cited national privacy survey, Americans consider location to be more sensitive 
than almost any other category of information apart from Social Security numbers.^ 

Nevertheless, customers who wish to receive wireless service have no choice but to share 
this information with their provider, because the very nature of wireless service is that it 
strives to connect customers no matter where they go. Accordingly, the Communications Act 
requires telecommunications providers—including wireless service providers—to observe 
heightened privacy obligations for location information. 

But wireless service providers AT&T, Verizon, T-Mobile, and Sprint (“Carriers”) have 
broadly violated those obligations and their customers’ privacy expectations. The Carriers 
have disclosed customer location information to location aggregators, other location-based 
services companies, and unauthorized individuals without customer approval. That location 
information has in some circumstances found its way into the hands of bounty hunters and 
stalkers. In most cases. Carriers have not attempted to notify their customers of this 
information sharing, let alone to obtain consent. 

These actions violate Sections 222 and 201 (b) of the Communications Act. Carriers have 
failed their responsibilities under Section 222(c) to obtain customers’ affirmative prior consent 
before using or sharing customer proprietary network information for purposes other than to 
provide service. Carriers have also failed their responsibilities under Section 222(a) to protect 
the confidentiality of customers’ proprietary information. Finally, Carriers have violated 
Section 201(b)’s prohibition against unjust and unreasonable practices by failing to employ 
even the most basic consent mechanisms, creating an unreasonable risk of unauthorized 
access, and violating their own privacy policies. 

The Carriers’ actions have threatened public safety, contrary to Congress’ directive that 
the Commission ensure communications networks promote safety of life and property. The 
Carriers’ improper disclosure of location information enabled stalkers, people posing as police 
officers, debt collectors, and others to take advantage and find unwitting individuals. 
Furthermore, it is likely that abuses of location data have disproportionately impacted 
disadvantaged and marginalized communities. 

We urge the Commission to investigate these practices and enforce against the Carriers 
Sections 201(b) and 222 of the Communications Act, and the Commission’s rules 
implementing those statutes. 


’ Riley V. California, 134 S. Ct. 2473, 2484 (2014). 
^ See infra note 54 and accompanying text. 


1 



Table of Contents 

Summary.i 

Discussion.1 

I. The Carriers have disclosed customer location information to unauthorized third parties 

without customer consent.1 

A. Wireless providers must collect location information from wireless devices to 

provide service.1 

B. The Carriers disclosed vast amounts of location information to third-party location 

aggregators without customer consent or a lawful order.2 

C. The Carriers disclosed location information directly to unauthorized individuals 

without customer consent or a lawful order.5 

D. The Carriers reportedly disclosed CSLI as well as other, more highly precise location 

information.6 

II. The Carriers’ reported disclosure of customers’ location information violates Sections 222 

and 201(b) of the Communications Act and the Commission’s implementing mles.7 

A. Wireless customers’ location information constitutes CPNI under Section 222 and 

the Commission’s mles, and the Carriers therefore may not disclose it without 
obtaining customers’ affirmative prior consent.7 

B. Wireless customers’ location data also constitutes customer proprietary information 

under Section 222(a), and the Carriers therefore must protect its confidentiality.9 

C. The Carriers’ unauthorized disclosure of customers’ location data violates Section 

222 of the Communications Act and the Commission’s implementing rules.10 

D. The Carriers’ unauthorized disclosure of customers’ location data violates Section 

201(b) of the Communications Act.12 

III. The Carriers’ practices exposed customers to risk of physical harm, disproportionately 

visited upon disadvantaged and marginalized communities.14 

A. Victims of domestic violence and stalking are put at greater risk when perpetrators 

have access to sensitive location data.15 

B. Low-income people and their families are particularly vulnerable to abuse of their 

location data.16 


ii 


















Discussion 


The Center on Privacy & Technology at Georgetown Law, New America’s Open 
Technology Institute, and Free Press (“Complainants”) file this informal complaint against 
Carriers for violations of the Communications Act and the Commission’s mles. This 
complaint is filed pursuant to Section 208 of the Communications Act, in accordance with 
Section 1.716 of the Commission’s rules.^ Complainants urge the Commission to investigate 
allegations that the Carriers disclosed real-time customer location information to third parties 
without customer approval, and to take enforcement action against any statutory or regulatory 
violation. 

Section I details the reported factual circumstances of the carriers’ improper disclosures 
of location information. Section II explains why the Carriers’ disclosure of customers’ location 
information violates the protections for customer proprietary information (“PI”) and 
customer proprietary network information (“CPNI”) in Section 222 of the Communications 
Act and the Commission’s implementing mles, as well as Section 201(b) of the 
Communications Act. Finally, Section III illustrates how the unauthorized disclosure of 
location information is harmful, particularly to disadvantaged and marginalized communities. 

I. The Caffiers have disclosed customer location information to unauthorized third 

parties without customer consent. 

Carriers must collect location data from customer devices for the purposes of providing 
the wireless telecommunications services they offer and ensuring proper functioning of the 
wireless network. Several investigative reports have revealed, however, that AT&T, Verizon, 
T-Mobile, and Sprint disclosed their customers’ device location data for purposes unrelated to 
the provision of those services and did so without first receiving express prior consent for 
such disclosures from those customers as required by law. In these cases, the Carriers have 
disclosed protected cell-site location information (“CSLI”) and highly precise A-GPS data 
(described below) to third-party location aggregators and other unauthorized parties that use it 
for purposes wholly unrelated to the provision of wireless services. These cases include selling 
or otherwise disclosing location information to bounty hunters, stalkers, and debt collectors 
posing as law enforcement officers. 

A. Wifeless providers must collect location information from wireless devices to 
provide service. 

Wireless providers collect location information from customer devices as a necessary and 
unavoidable part of providing wireless services.”* Consumers have no ability to opt-out of this 


^ 47 U.S.C. § 208(a); 47 C.F.R. § 1.716. 

”* E.g., AT&T Privacy PoUcy FAQ, https://about.att.com/sites/privacy pokey/terms#collect 
(“Location information is generated when your device communicates with cell towers, Wi-Fi 
routers or access points and/or with other technologies, including the satellites that comprise 
the Global Positioning System.”) (last visited June 5, 2019). 


1 



collection, which must take place so that wireless carriers are prepared to route calls and 
messages to the correct device at the correct location at any given time.^ 

Wireless devices connect regularly to, and send and receive calls and data through, 
wireless towers. Each wireless tower can house several antennae, which are directional and can 
estimate the distance of a wireless device from the device’s signal strength. Based on those 
characteristics, towers can determine the approximate location of a wireless device, which is 
necessary to transmit to and receive information from that device. CSLI is registered by 
towers when a call or message is received or sent. In addition, in order to ensure that service is 
always operational, cell phones often “ping” nearby towers to register their location.'’ 

Wireless providers may also have access to Global Positioning System (“GPS”) and 
Assisted GPS (“A-GPS”) data, especially for aiding emergency services. GPS data is generally 
highly accurate, but it has some flaws. For instance, identifying the location of a device may 
take a long time initially, and the GPS signal may experience interference from nearby 
buildings. Thus, GPS can be “assisted” with other data to more quickly and accurately 
determine location. Wi-Fi data and the cell-site location data described above both can assist 
GPS to make it more accurate.^ With A-GPS and other location data, wireless providers have 
even more accurate location data on devices. This data is very useful for emergency services, 
but its accuracy also makes it highly valuable to other parties who may want to use it for non¬ 
emergency, and potentially nefarious, purposes. 

B. The Caffiers disclosed vast amounts of location information to third-party 
location aggregators without customer consent or a lawful order. 

Several recent investigative reports have detailed improper sharing of location 
information by the Carriers, who are the four major wireless communications service 
providers (AT&T, T-Mobile, Sprint, and Verizon).* The Carriers shared this information 

* Commissioner Geoffrey Starks, Whj It’s So Easy for a Bounty Hunter to Find You, NY Times 
(Apr. 2, 2019), https://www.nytimes.com/2019/04/02/opinion/fcc-wireless-regulation.html . 

See T-Mobile Privacy Statement, T-Mobile (Mar. 22, 2019), https://www.t- 
mobUe.com/responsibility/privacy/privacy-pokey (last visited June 7, 2019). 

^ See generally Ex Parte of CTIA, Wireless E9-1-1 Location Accuracy Requirements, PS Docket 
No. 07-114 (Jan. 14, 2015), https://ecfsapi.fcc.gov/file/60001013580.pdf . 

* Jennifer Valentino-DeVries, Service Meant to Monitor Inmates’ Calls Could Track You, Too, 
New York Times (May 10, 2018), 

https://www.nytimes.com/2018/05/10/technolog\V ceUphone-tracking-law- 
enforcement.html [“New York Times, May 10, 2018”]; Joseph, Cox, I Gave a Bounty Hunter 
$300. Then HeEocated Our Phone, Motherboard (Jan. 8, 2019), 

https://motherboard.vice.com/en us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars- 
located-phone-microbilt-zumigo-tmobile [“Motherboard, Jan. 8, 2019”]; Joseph Cox, Hundreds 
of Bounty Hunters Had Access to AToMT, TMobile, and Sprint Customer Hocation Data for Years, 
Motherboard (Feb. 6, 2019), https://motherboard.vice.com/en us/article/43z3dn/hundreds- 
bounty-hunters-att-tmobUe-sprint-customer-location-data-years [“Motherboard, Feb. 6, 
2019’J; Joseph, Cox, Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving 


2 



without consent from the customers whose information was shared, and without a lawful 
order compelling disclosure of the information at issue. 

In May 2018, the New York Times reported that the Carriers shared their customers’ 
location information with Securus Technologies (“Secums”), a U.S.-based prison technology 
company that provides location-based services,^ which then shared that information with 
additional third parties without authorization or consent.’® As part of its suite of products for 
law enforcement and corrections agencies, Securus offers the “integrated proprietary software 
solution Location Based Services or LBS,” which enables users to track cellular devices of 
interest.” 

To facilitate LBS, Securus collects location information from major wireless carriers.” 
Some individuals located by LBS—those receiving calls from prisons—are informed via a 
prerecorded message that their location information will be collected, and they cannot receive 
the call until they press “1” to acknowledge this.” But when users of the LBS platform use 
LBS “Real-Time Location Services” to obtain the real-time location information of a phone 
not currendy engaged in a call, Securus does not attempt to obtain consent.” Instead, Secums 
states that users of Real-Time Locadon Services are required to “upload the appropriate 
Search Warrant informadon and accept the associated terms and condidons.”” However, 
Secums reportedly does not condidon provision of locadon informadon to users of its LBS 
product upon receipt, review, and verificadon of any sort of informadon regarding warrants or 
other lawful orders. To the contrary, the company does not “conduct any review of 
surveillance requests,” and as of May 10, 2018, wireless carriers did not receive forwarded 


Them Cell Phone Nocation Data, Motherboard (Mar. 6, 2019), 

https://motherboard.vice.com/en us/ardcle/panvkz/stalkers-debt-coUectors-bounpr- 
hunters-impersonate-cops-phone-locadon-data [“Motherboard, Mar. 6, 2019”]. 

® See generally Secums Technologies, https:/ / securustech.net/ (last visited June 5, 2019). 

” See New York Times, May 10, 2018, supra note 8. 

” Securus, GDP Inmate Telephone Service RFP: Additional Scored Kesponse Document 26, 
https://ssl.doas.state.ga.us/PRSapp/bid-documents/164670046700-GDC0000669198904.pdf 
[Securus Georgia Response Document] : see Secums, Tocation-BasedServices White Paper (Feb. 21, 
2018), available t7/ https://www.efforg/flles/2018/05/03/securus white paper - 
locadon based services lbs copy.pdf . 

” Neema Singh GuUani & Nathan Freed Wessler, Company That Dandles Prison Phone Calls Is 
Surveilling People Who Aren’t in Prison, ACLU (May 11, 2018), 

https://www.aclu.org/blog/privacy-technologyUlocadon-tracking/company-handles-prison- 
phone-calls-surveiUing-people-who . 

’ ® Id. 

” Securus Georgia Response Document, supra note 11, at 29 (“The user then inputs the 
cellular number that is to be tracked and within seconds, the approximate locadon of the cell 
phone will be displayed on a graphical map of the area.”). 

” Id.-, see Guliani & Wessler, supra note 12. 


3 



copies of surveillance requests from Securus that Securus in turn has received from its LBS 
usersd'’ 

Not only does Secums fail to require or obtain proof of lawful orders or customer 
consent as part of its LBS product, but this service has been abused in ways that both Securus 
and the carriers knew about for some time. According to the New York Times, between 2014 
and 2017, Cory Hutcheson, a former sheriff of Mississippi County, Missouri, used Securus’ 
LBS platform to track multiple wireless customers’ location without consent or a court 
order.^^ Hutcheson was arrested in 2017 and was subsequendy convicted on state and federal 
charges.^* 

Then, in January 2019, reporting by Motherboard exposed the Carriers’ sale of location 
information to a host of other individuals and entities not affiliated with law enforcement.^® 
Indeed, Motherboard s reporting suggests that any individual could easily obtain location 
information from third parties, which receive that data directly from the Carriers.^® In one 
example, a Motherboard reporter gave a bounty hunter a T-MobUe cell phone number, and the 
bounty hunter used the number to determine the phone’s location within a couple of blocks.^^ 
The Motherboard investigation found product documentation suggesting that the service used 
by the bounty hunter was able to locate phones using location information made available by 
multiple wireless carriers, including AT&T, T-Mobile, and Sprint.At no time was the owner 
of the located phone notified that the phone was being tracked or asked for consent to be 
tracked.^'® 

Furthermore, the Motherboard reporting detailed how inexpensive it is for third parties to 
purchase location verification and monitoring of wireless customers’ mobile devices without 


New York Times, May 10, 2018, supra note 8. 

^Md. 

Id.; ]im Salter, Missouri sheriff pleads guilty to cellphone tracking charges. Associated Press 
(Nov. 20, 2018), https://www.apnews.com/c0901d36b9fe4edca4fa4c951dd3deaL 

Motherboard, Jan. 8, 2019, supra note 8 (It is assumed that carriers are using cell-site location 
information); Motherboard, Feb. 6, 2019, supra note 8 (“A LocationSmart spokesperson 
told Motherboard in an email ‘Carrier location services available through LocationSmart are 
based on a variety of technologies depending on each carrier’s particular location 
infrastmcture implementation. That could include AGPS, cell tower, cell sector, or cell site 
trilateration. While there is no explicit indicator as to the technology used to provide a specific 
location response from a carrier, each response includes an accuracy estimate that can be used 
to infer the technology used.’”). 

Motherboard, Jan. 8, 2019, supra note 8. 

^Md. 

Id. The middleman who used a commercially available phone location service to locate the 
phone referenced in the Motherboard investigation was unable or unwilling to conduct a search 
for a Verizon device. Id. 

Id. (“[W]hen Motherboard tested the geolocation service, the target phone received no 
warning it was being tracked.”). 


4 



consent.^”* For example, for $12.95 per device, one location aggregator service offers “mobile 
device account and location verification monitoring,” which verifies billing account 
information from carriers and actively monitors the mobile device’s physical location over 
time. The cost falls to $8.42 per device when a purchaser tracks 20,001 or more mobile 
devices.^^ 

C. The Caffiers disclosed location information directly to unauthorized 
individuals without customer consent or a lawful order. 

The Carriers have shared their customers’ location information without customer consent 
or a lawful order not only with third-party location aggregators, but with individuals as well. 
Recent investigative reporting revealed that fraudsters have tricked the Carriers into releasing 
real-time location data by posing as law enforcement officers.The Carriers have handed over 
customer location information to these fraudsters without taking meaningful steps to verify 
their identities. 

The scam typically works in the following way: a person who wants to access the location 
of a cellular device creates an email account that appears to belong to law enforcement. The 
scammer then sends an email to a carrier describing a circumstance in which there is imminent 
threat of physical harm. The scammer includes a request for the immediate release of the 
location of a customer whom the scammer falsely characterizes as a “suspect.” The carrier 
then delivers the location to the scammer as requested.^^ 

One scammer, John Letcher Edens, used the scam many times to gain unauthorized 
access to location information.^* Edens “made up several stories of fictitious kidnappings to 
convince T-Mobile to hand over the location information.”^^ Edens used the email domain 
“gafugitivetaskforcel.net” to bolster his fake identity as a member of law enforcement.** After 
receiving the requested location information, Edens used this information not only to find 
victims, but also to harass and threaten at least one victim.*' 

The conduct of Edens is not an isolated case. Sources indicate that other similar scams 
have elicited location information from Verizon, T-Mobile, and AT&T.** One source 


** Motherboard, Mar. 6, 2019, supra note 8. 

Id. 

^^Id. 

** United States v. John Letcher Edens (N.D. Ga. Feb. 5, 2016) Criminal Action No. 1:15- 
CR158-ELRJFK, available at https://www.documentcloud.org/documents/5760568- 
Government-Response-in-Edens-Phone-Location-Case.html [“U.S. v. Edens”]. 

*“ Id. at 5. 

Id. 

** Motherboard, Feb. 6, 2019, supra note 8. 


5 



suggested that this is an ongoing technique that can be performed on any carrier, by any 
imposter.^^ 

D. The Caffiers reportedly disclosed CSLI as well as other, more highly precise 
location information. 

The Carriers have disclosed multiple types of location information regarding their 
customers. It is not clear, based on reporting and on what the Carriers have made public 
about their practices, what types of location information the Carriers disclosed in all instances. 
But the Carriers reportedly disclosed at least real-time CSLI, as well as highly precise A-GPS 
data, to bounty hunters, data aggregators, and firms that provide location-based services.’'^ 

The Carriers disclosed CSLI to Securus and users of Securus’ LBS platform. As 
discussed above, CSLI derives from wireless network towers.^^ According to TheNew York 
Times^ “In an email, Secums said the service was based on cell tower information, not on 
phone GPS.”’'' 

In addition to CSLI, the Carriers reportedly disclosed more precise location information 
pertaining to their customers, including tower triangulation data as well as A-GPS data. In a 
document describing location aggregator Microbilt’s “Mobile Device Verify” service, the 
company states that the location information it provides will be accompanied by “[ejstimated 
location accuracy given available towers for triangulation.”” 

Motherboard confirmed that at least two location aggregation firms, CerCareOne and 
LocateUrCell, used even more precise A-GPS location tracking services. CerCareOne had 
access to A-GPS information from AT&T, T-Mobile, and Sprint, then provided location 
services to over 250 bail bond companies in secrecy, as customers agreed to “keep the 
existence of CerCareOne.com confidential.”’® CerCareOne operated for five years with Mtde 
public visibility before closing in 2017.” 

Another firm implicated in the use of A-GPS, LocateUrCell, was less secretive. 
Circumstantial evidence, such as a shared IP address with CerCareOne, indicates that 
LocateUrCell might have been affiliated with CerCareOne.''® Although the website is now 


” See discussion supra. Section LA. 

” New York Times, May 10, 2018, supra note 8. 

” Microbilt, Mobile Device Verijy, 

https://www. microbilt.com/Cms Data/Contents/Mi crobilt/Media/Docs/ProductSheets/M 
obile-Device-Verify-2018.pdf: Motherboard, Jan. 8, 2019, supra note 8. 

” Motherboard, Feb. 6, 2019, supra note 8. 

^Id. 


6 



defunct, LocateUrCell worked with AT&T, T-Mobile, and Sprint to use what appeared to be 
A-GPS technology to track cell phones within a few feet of their location/' 

Finally, another firm, Captira, claimed to provide location data to bail bondsmen to 
within an accuracy of two meters for as Htde as $7.50/^ Captira’s service purportedly worked 
on all the major wireless carriers’ networks, including Verizon, AT&T, Sprint, and T-Mobile/^ 

II. The Carriers’ reported disclosure of customers’ location information violates 
Sections 222 and 201(b) of the Communications Act and the Commission’s 
implementing rules. 

By selling or disclosing customers’ location information without customer consent or 
lawful order, the carriers have violated Sections 222 and 201(b) of the Communications Act as 
well as the Commission’s rules implementing those statutes. Location information collected by 
wireless carriers constitutes CPNI under Section 222 and associated mles, and Carriers 
therefore may not disclose it without first obtaining customers’ affirmative consent or 
pursuant to lawful order. Wireless customers’ location information also constitutes PI under 
Section 222(a), and Carriers therefore must protect its confidentiality. Yet the Carriers have 
broadly disclosed their customers’ location information in direct violation of these obligations. 
The Carriers’ widespread and reckless unauthorized disclosure of customers’ location 
information further constitutes an unjust and unreasonable practice in violation of Section 
201(b) of the Communications Act. 

A. Wifeless customers’ location information constitutes CPNI under Section 222 
and the Commission’s rules, and the Carriers therefore may not disclose it 
without obtaining customers’ af fir mative prior consent. 

Location information collected by wireless carriers is CPNI because “location” is 
specifically named in the statutory definition of CPNI, and because carriers collect this 
information for the purpose of providing telecommunications service. Because wireless 
customers’ location information is CPNI, carriers are required by Section 222(c) and the 
Commission’s rules to obtain affirmative consent from customers before using or sharing it 
for purposes other than to provide service. 

Wireless customers’ location information meets the definition of CPNI under Section 
222(h)(1) and the Commission’s implementing rules. Those provisions define CPNI as 
customer information that “relates to the quantity, technical configuration, type, destination. 


Johanna Somers, Cell Phone Tracking Importance Not Tost on Naples Man, Naples Daily News 
(Sept. 11,2011), 

https://web.archive.org/web/20190202233943/http://archive.naplesnews.com/business/cel 
l-phone-tracking-importance-not-lost-on-naples-man-ep-391057527-330865721.html . 
"'^Joseph Cox, Pail Pond Company TetPouny Hunters Track Verigon, TMobile, Sprint, and AT&T 
Phones for $7.50, Motherboard (June 22, 2018), 

https://www. vice.com/en_us/article/9k873e/captira-phone-tracking-verizon-tmobile-sprint- 
s ecurus -locationsmart-bounty-hunter s. 

« Id. 


1 



location, and amount of use of a telecommunications service subscribed to by any customer of 
a telecommunications carrier.Customers are “using” this service merely by subscribing and 
connecting to the network and being capable of receiving calls or messages on a mobile 
handset or other device, and information about where their device is physically located while 
connected to the network therefore is information about the location of their use of the 
service. 

To be considered CPNI, customer information also must be “made available to the 
carrier by the customer solely by virtue of the carrier-customer relationship.”'^^ Wireless 
customers’ location information meets this test as well. Customers provide their location to 
their carriers solely for the purpose of being able to use the wireless services to which they 
have subscribed. As noted above, wireless carriers must stay apprised of connected devices to 
be able to connect calls and deliver messages. Even at times when no such message is being 
transmitted, cell towers are constandy “pinging” devices nearby and noting location to remain 
prepared to connect a call or send a message should one be sent over the network.'^'’ This 
location information is collected solely by virtue of the provision of wireless services because 
it is provided directiy to the wireless provider from the customer’s device and is collected to 
ensure the proper functioning of the service. 

Because wireless customers’ location information is CPNI, wireless service providers may 
not disclose it without obtaining their customers’ express prior consent to do so. Section 222, 
which places the burden of obtaining customers’ consent to use CPNI squarely on 
telecommunications carriers, extends to wireless carriers.'^^ Section 222(c)(1) provides, with 
limited exceptions,'^® that a carrier may only use, disclose, or permit access to customers’ CPNI 
in limited circumstances: (1) as required by law; (2) with customer approval; or (3) in its 
provision of the telecommunications service from which such information is derived, or in 
provision of other services necessary to or used in the underlying provision of such 
telecommunications service.'*® 

The Commission has determined that for most uses of CPNI that are unrelated to the 
provision of service, carriers not only must obtain their customers’ approval, but the requisite 
approval must be affirmative and obtained in advance of the proposed unrelated use. More 


^ 47 U.S.C. § 222(h)(1); 47 C.F.R. § 64.2003(g) (emphasis added). 

47 U.S.C. § 222(h)(1). 

See, e.g., T-Mobile Pricagi Statement, T-Mobile (March 22, 2019), https://www.t- 
mobUe.com/responsibility/privacy/privacy-policy (last visited April 15, 2019). 

See Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of 
Customer Proprietary Network Information and Other Customer Information, Declaratory Ruling, CC 
Docket No. 96-115, 28 FCC Red 9609, 9611, T[ 7 (June 27, 2013), available at 
https://transition.fcc.gov/Daily Releases/Daily Business/2013/db0628/FCC-13-89Al.pdf 

See 47 U.S.C. § 222(c)(1). Customers’ CPNI can also be disclosed to a carrier’s agents or 
affiliates without express prior permission if those agents or affiliates provide 
communications-related services. 47 C.F.R. § 64.2007. 

47 U.S.C. § 222(c)(1). 



specifically. Section 64.2007(b) of the Commission’s rules requires carriers to obtain the opt-in 
approval of their customers before disclosing CPNI.^® Opt-in approval requires “that the 
carrier obtain from the customer affirmative, express consent allowing the requested CPNI 
usage, disclosure, or access after the customer is provided appropriate notification of the 
carrier’s request. . . 

B. Wifeless customers’ location data also constitutes customer propfietary 

information under Section 222(a), and the Carriefs therefore must protect its 
confidentiality. 

Wireless customers’ location information is also proprietary information under Section 
222(a), both because customers expect it to be kept private and because it is personally 
identifiable information. Therefore, in addition to having an obligation to obtain their 
customers’ consent before disclosing location information, carriers have a general “duty to 
protect the confidentiality of’ location information.^^ 

Location information is PI because customers expect their wireless carriers to maintain 
the privacy and confidentiality of this type of information. As the Commission stated in 2014, 
“we should interpret the term ‘proprietary information’ [PI] in the commonly understood 
sense of information that should not be exposed widely to the public, so when applied to 
information about individuals, the term must include personal data that customers expect their 
carriers to keep private. 

There can be no question that customers expect carriers to maintain the privacy and 
confidentiality of location data—especially this highly precise, real-time, on-demand CSLI and 
A-GPS data that the carriers are known to have shared with third parties without their 
customers’ consent. A 2014 survey conducted by Pew Research Center found that 
approximately 82% of Americans consider details of their physical location over time to be 
either “very sensitive” or “somewhat sensitive”—a greater total percentage than for any other 
t^qje of information included in the survey apart from Social Security numbers.^^^ 

Further, location information is PI because it constitutes personally identifiable 
information. The Commission concluded in 2014 that Section 222(a) “broadly encompasses 
such confidential information as privileged information, trade secrets, and personally 
identifiable information (PII). In general, PII is information that can be used on its own or 
with other information to identify, contact, or locate a single person, or to identify an 


47 C.F.R. § 64.2007(b). 

Id. § 64.2003(k). 

47 U.S.C. § 222(a) (imposing a “duty to protect the confidentiality of proprietary 
information of, and relating to . . . customers.”). 

53 YerraCom and YourTel America, Notice of Apparent Liability, 29 FCC Red 13325, 13331, T| 16 
(2014) l^TerraComlYourTelNAId^ 

Mary Madden, Public Perceptions of Privacy and Security in the Post-Snowden Era, Pew 
Research Center (Nov. 12, 2014), https://www.pewinternet.org/2014/11/12/public-privacy- 
perceptions/ . 


9 



individual in context.”^^ Location information—especially precise real-time location—plainly 
can be used “to locate a single person,” and location information collected over time can 
easily be used to identify a single person. For example, in 2013, four researchers found that 
they were able to uniquely identify 95% of individuals in a dataset of location points using 
only four data points for each person.^'’ 

Because location information is PI under Section 222(a), carriers have a duty to protect its 
confidentiality. 

C. The Caffiers’ unauthorized disclosure of customers’ location data violates 

Section 222 of the Communications Act and the Commission’s implementing 
rules. 

By failing to meet the requirements attaching to CPNI and PI, the Carriers have violated 
Section 222 of the Communications Act and the Commission’s CPNI mles.^^ The Carriers 
have violated Section 222(c) by failing to obtain affirmative prior consent from their 
customers (or other lawful order) before disclosing location information to third parties. In 
addition, the Carriers have violated Section 222(a) by failing to protect the confidentiality of 
their customers’ location information. 

The Carriers have violated Section 222(c) and the Commission’s implementing 
regulations. As detailed above, the Carriers are required to obtain affirmative prior consent or 
a lawful court order before disclosing their customers’ location information, which is a type of 
CPNI. Yet the Carriers have failed to comply with those requirements. 

In responses to letters from Senator Ron Wyden, the Carriers admitted they relied on 
location aggregators or the aggregators’ customers to obtain consent from tracked customers 
in many circumstances, and often did not seek to obtain customer consent themselves.^® But 

55 'YerraComlYourTel NAL, T117. 

Yves-Alexandre de Montjoye, Cesar A. Hidalgo, Michel Verleysen & Vincent D. Blondel, 
Unique in the Crowd: The Privag Pounds of Human Mobility, Scientific Reports, Mar. 25, 2013, 
https://www.nature.com/articles/srepO 1376 . The dataset used by the researchers contained 
location information collected from individuals in an unspecified western country from 2006— 
2007. In the dataset, the location of individuals was specified hourly, and with a spatial 
resolution equal to that given by the carrier’s antennas, i.e. equal to that of cell-site location 
information. 

See 47 U.S.C. § 222; 47 C.F.R. § 64.2007(b). 

Letter from Anthony Russo, T-MobUe to Sen. Ron Wyden at 3 (Feb. 15, 2019) 

(“[LJocation aggregators were required to ensure verifiable informed customer consent was 
obtained . . .” (emphasis added)), available at 

https://www.documentcloud.org/documents/5767086-T-Mobile-Response-to-Wyden-on- 
Phone-Location.html ; Letter from Tim McKone, AT&T to Sen. Wyden at 1 (Feb. 15, 2019) 
(“[T]he aggregator or service provider must. . . obtain the customer’s consent to [the use 
of location information]” (emphasis added)), available at 

https://www.documentcloud.org/documents/5767087-AT-T-Response-to-Wyden-on- 
Phone-Location-Data.html; Letter from Karen Zacharia, Verizon to Sen. Wyden at 2 (Feb. 15, 


10 



location aggregators and other downstream users apparently did not seek consent or structure 
their services in a way that made seeking consent even possible, and it is not clear that the 
Carriers consistendy undertook meaningful efforts to verify that consent had been obtained. 
For instance, Verizon claims that Secums Technologies misrepresented that it had obtained 
consent from Verizon’s customers, and Verizon admits that its own audit process did not 
reveal this fact.'’® Given that an LBS provider was able to conceal a feature that plainly did not 
contemplate customer consent, the Carriers’ auditing procedures appear to have been 
insufficient to reliably ensure customer consent has been obtained by aggregators and other 
downstream users. 

The Carriers have also violated Section 222(a). As explained above, location information 
is PI, and the Carriers therefore are required to respect and protect its privacy and 
confidentiality. The Carriers have failed to uphold this obligation. The unauthorized disclosure 
of customers’ location information not only violates expectations and basic privacy principles, 
but also exposes customers to additional harm. 

The Commission noted the relevance of potential for substantial injury in its 2014 case 
against TerraCom and YourTel.®^ In that case, two carriers needlessly exposed the Social 
Security numbers and other financial information of customers and potential customers, 
“invit[ing] identity theft and other serious consumer harms. 

Here, the Carriers’ behavior has invited physical and predatory harms.®® Carriers have 
exposed customers’ location information to a number of parties—the vast majority of whom 
cannot be identified and perhaps will never be known—including stalkers, bounty hunters, 
and at least one rogue law enforcement official. 


2019) (“Verizon authorized . . . location aggregators to facilitate access to Verizon subscriber 
location information . . . after the corporate customer had obtained the af fir mative opt-in 
consent of the wireless subscriber.” (emphasis added)), 

https://www.documentcloud.org/documents/5767089-Verizon-Response-to-Wyden-on- 
Phone-Location-Data.html#search/pi /verizon : Letter from Maureen Cooney, Sprint to Sen. 
Wyden at 3 (Feb. 15, 2019) (“Aggregators and developers must clearly and completely 
document the presentation of. . . consent.” (emphasis added)), 

https://www.documentcloud.org/ documents/5767088-Sprint-Response-to-Wyden-on- 
Phone-Location-Data.html. 

Motherboard, Jan. 8, 2019 supra note 8. (“[W]hen Motherboard tested the geolocation 
service, the target phone received no warning it was being tracked.”). 

®® Verizon Letter, supra note 58 at 4. 

TerraCom I YourTel NAL, 30. 

Id. (“By not employing appropriate security measures, TerraCom and YourTel exposed their 
customers to potentially substantial injury. The exposed PI—in particular, financial 
information and Social Security numbers—invites identify theft and other serious consumer 
harms.”). 

®® See discussion infra at Part III. 


11 



D. The Caffiers’ unauthorized disclosure of customers’ location data violates 
Section 201(b) of the Communications Act 

The Carriers’ sharing of customers’ location information also violates Section 201(b) of 
the Communications Act, which states that “[a]ll charges, practices, classifications, and 
regulations for and in connection with [telecommunications] service, shall be just and 
reasonable, and any such charge, practice, classification, or regulation that is unjust or 
unreasonable is declared to be unlawful.”'’'* The Carriers have violated Section 201 (b) by failing 
to employ even the most basic consent mechanisms, creating an unreasonable risk of 
unauthorized access, and violating their own privacy policies. 

In the case against TerraCom and YourTel, the Commission found that two carriers’ 
insufficient data security practices were unjust and unreasonable because the carriers “failed to 
employ even the most basic and readily available technologies and security features for 
protecting consumers’ Here, the Carriers have failed to employ even the most basic 
consent mechanisms to protect their customers’ CPNI and PI. Instead, the Carriers recklessly 
facilitated aggregators’ widespread access to their customers’ highly detailed and real-time 
location information without consent, permitted aggregators to share that information with 
additional third parties downstream without consent, and apparendy did not pracdce any 
meaningful or effective oversight or monitoring to see whether aggregators themselves ever 
obtained customers’ consent. 

The Commission has also found violations of Section 201(b) where carriers’ data security 
pracdces “created an unreasonable risk of unauthorized access.”'*'^ Here, the Carriers’ roudnely 
careless behavior facilitated widespread unauthorized access to customers’ location 
informadon. 

Finally, the Carriers have violated Section 201(b) because they have either violated their 
own privacy policies or omitted critical informadon from the policies. The Commission has 
found violations of 201(b) where “representations in [carriers’] privacy policies were false, 
deceptive, and misleading.”'’^ Here, the Carriers did not disclose in their privacy policies that 
they sold real-time locadon data to third parties, including third parries of which customers 
were unaware and thus unable to provide consent. 

AT&T. AT&T’s privacy policy states that it “do[es] not sell, trade or share your CPNI 
with anyone outside of the AT&T family of companies or our authorized agents, unless 
required by law (example: a court order).”'’® It further states that it “do[es] use your CPNI 
internally, however. We may share information about our customers among the AT&T 


47 U.S.C. § 201(b). 

65 'YgffaComI YourTel NAL, 32. 

‘’® Id., T| 33-34 (The Commission further noted that as a result of the two carriers’ practices, a 
third party accessed and downloaded over 100,000 proprietary records.). 

Id., T| 38 (TerraCom and YourTel had represented that they employed reasonable security 
measures to protect customers’ private informadon, when in fact they did not). 

‘’® AT&T, Your Rights and Choices, Network Information (CPNI), 

https: / /about.att.com/sites /privacy pokey/rights choices#cpni (last visited June 7, 2019). 


12 



companies and our agents in order to offer you new or enhanced services. For example, we 
might offer a discount or promotion for Internet or TV services based on your CPNI.”® In 
another part of its privacy policy dealing specifically with location data, AT&T does suggest 
broadly that it collects and uses location data in “all kinds of ways,” and lists as examples 
(1) providing and improving its wireless service, (2) enabling location-based services installed 
on the device, (3) enabling location-based services from third parties, and (4) advertising.^® 
AT&T also notes that it may share location data without consent to, among other things, 
“[njotify, respond or provide information (including location information) to a responsible 
governmental entity in emergency or exigent circumstances or in situations involving 
immediate danger of death or serious physical injury.”^^ 

Nowhere in AT&T’s privacy policy is there any specific reference to the sale of CPNI, 
including location data, to the types of entities to which AT&T reportedly sold real-time 
location data. Moreover, AT&T’s purported consent for “enabling location-based services 
from third parties” is insufficient to cover the sale of real-time location data to bounty hunters 
and essentially any willing purchaser, especially when the AT&T customer has no awareness 
of or relationship with that third party. The intrusiveness of such privacy violations requires 
much more detailed disclosures and cannot be left to such euphemistic language. Importantly, 
AT&T itself conceded that these uses of real-time location data violate its policies. Indeed, 
“AT&T . . . told Motherboard the use of its customers’ data by bounty hunters goes explicitly 
against the company’s policies. 

Sprint. Sprint’s sparse privacy policy states that it shares personal data (including location 
data) with, for instance, affiliates, third-party service providers, reward programs, and 
emergency services.^^ Sprint also may share data for the “[pjrotection of Sprint and others,” 
including responding to emergencies. However, Sprint’s privacy policy does not expressly 
mention the sale of location data to the relevant categories of third parties at issue here. 

T-Mobile. T-Mobile’s policy statements similarly do not expressly cover the sale of 
location data to the relevant categories of third parties. T-Mobile’s CPNI policy states that “T- 
Mobile is committed to protecting the privacy and security of our customers’ personal 
information and, as set forth in our Privacy Statement, we strive to be a leader in protecting all 
such personal information,” and acknowledges that “federal law has long-required 


Id. 

AT&T, Vrivag Polig FA^, (Questions About Focation Information), 
https: / /about.att.com/sites /privacy pokey/terms#location (last visited June 7, 2019). 
AT&T, About Our Primal Polig, 

https://about.att.com/sites/privacy policy/full privacy policy (last visited June 7, 2019). 
Motherboard, Jan. 8, 2019, supra note 8. 

Sprint, Sprint Corporation Priragi Policy (April 24, 2019), INFORMATION WE SHARE, 
https://www. sprint, com/en/legal/sprint-corporation-privacy- 
poIicy?ECID=vanity:privacypolicy#infoshare (last visited June 7, 2019). 


13 



telecommunications carriers to protect CPNI.”^”* Regarding location-based services, T-Mobile 
simply states that it “may provide LBS services. Where we do so, we will request your 
permission before we access precise location data to support the service.”^^ 

Like the other Carriers, T-Mobile does not explicitly identify the location aggregators 
identified by the investigative reports. And if T-Mobile adheres to its own privacy policy, the 
company should have required these third parties to comply with privacy and security 
protections consistent with that policy. It appears, however, that the third parties and 
subsequent parties obtaining this kind of data from T-Mobile and the other Carriers were not 
subject to any such obligations, likely because T-Mobile did not know about these practices 
and did not exercise proper care to investigate or prevent such practices. 

Verizon. Verizon was implicated only in the New York Times reporting about the sale of 
data to Secums, and not Motherboard’s reporting about the broader sale of location 
information. However, Verizon states that “Location information may ... be used for 
emergency purposes (such as E911) and with your consent at other times.Thus, like the 
other carriers, Verizon too did not provide notice of its location sharing practices. 

III. The Caffiers’ practices exposed customers to risk of physical harm, 

disproportionately visited upon disadvantaged and marginalized communities. 

Continuing to allow access to real-time location data of cell phones is a safety concern 
that the Commission must take seriously. The Commission has a duty to “promot[e] safety of 
life and property through the use of wire and radio communications.”^^ The sharing of real¬ 
time location data of potentially all wireless customers served by the Carriers raises significant 
concerns about public safety. Some bounty hunters allegedly use the data to track individuals 
they know personally.^* Stalkers, harassers, and other people meaning to do harm to others 
often turn to tracking wireless devices where they can.^^ The Commission should not condone 
this behavior, and must stamp it out where it can. 

To make matters worse, abuses of location data have real-Ufe consequences that not only 
directly affect the Carriers’ paying customers, but are likely to have a disproportionately 


T-Mobile, About T-Mobile, More Information: CPNI, https://www.t- 
mobile.com/responsibilipVprivacy/resources/cpni (last visited June 7, 2019). 

T-Mobile, T-Mobile Privacy Statement (Mar. 22, 2019), HOW WE USE INFORMATION WE 
COT JECTABOUT YOU, https://www.t-mobUe.com/responsibilipVprivacy/privacy- 
policy#howuseinfo . 

Verizon, Full Privay Poliy, https: / /www.verizon.com/about/privacy/full-privacy-policy 
(last visited June 7, 2019). 

"" 47 U.S.C. § 151. 

Motherboard, Jan. 8, 2019, supra note 8. 

See, e.g., Kristin Houser, Stalkers Are Pretending to be Cops to Steal Your Phone’s Eocation (Mar. 8, 
2019), https://futurism.com/stalkers-location-data-telcos-cops/ . 


14 



negative effect on people in disadvantaged and marginalized communities.*® These potentially 
include victims of domestic violence and low-income people and their families. 

A. Victims of domestic violence and stalking are put at greater risk when 
perpetrators have access to sensitive location data. 

Victims of domestic violence and abuse are particularly vulnerable with respect to the 
sharing of location data. In domestic abuse situations, abusers will engage in systematic and 
repeated surveillance of victims as a means of asserting control over them.*^ An abuser with 
access to their victim’s location information is able to engage in this sort of undesired 
surveillance with far more ease than without it. 

Stalking victims, specifically, are especially at risk because location tracking technology 
enables perpetrators to follow and harm their targets more easily. Stalkers tend to use the 
internet as an “easy, low-cost method of communicating with [their] victims.”*^ Similarly to 
bounty hunters, according to Motherboard s reporting, a stalker given easy access to their 
victim’s location information could amplify their harassment both online and in the real- 
world.** 

An article originally published in Domestic Violence Report warns victims of stalking or 
abuse about the dangers of sharing location information: 

Sharing one’s location can be quite dangerous, however, when 
a stalker or abuser uses this information to stalk, harass, and 
threaten. For victims of domestic violence, assault or stalking, 
knowing how much information may be inadvertently shared 
about them is key to planning for privacy and safety. For 
service providers, there is often a concern that abusers may be 
able to track victims to the shelter or program. Some programs 
have questioned if the solution is to ban cell phones in shelter. 

In reality, however, this response will not eliminate the feared 
risk. Additionally, it is not feasible for survivors to give up their 
cell phones, which for many is a life line to safety, help, and 
support. The better solution is to understand how location gets 
shared, minimize the amount of information that is being 


*® Cf. Scott Skinner-Thompson, Privag’s Double Standards, 93 Wash. L. Rev. 2051 (2018) 
(discussing disparate impacts in the context of tort law), available at 
https://papers.ssrn.com/sol3/papers.cfmPabstract id=3134500 . 

*' E.g., Ryan Calo, Boundaries ofPrivag Harm, 86 Ind. L. J. 1, 15 (2011) (internal citations 
omitted), available at https:/ /papers.ssrn.com/sol3/papers.cfmPabstract id=1641487 . 

** Joseph C. Merschman, The Dark Side of the Web: Cjberstalking and the Need for Contemporag 
Eegislation, 24 Harv. Women’s L.J. 255, 215-16 (2001), available at 

https://heinonline.org/HOL/Page?collection=iournals&handle=hein.iournals/hwli24&id=2 
82&men tab=srchresults . 

** See Motherboard, Feb. 6, 2019, supra note 8. 


15 



shared, and help survivors take back control by creating 
thorough safety planning and changing privacy settings.*"* 

When location information is shared without consent, the opportunity for abusers to 
leverage this information for menacing purposes becomes even more acute. Without control 
over their information, victims of domestic abuse may experience physical harm and perpetual 
fear. 

Victims of domestic violence have been harmed by sharing of location data. For instance, 
as mentioned above, John Letcher Edens was convicted of aggravated stalking and harassing 
phone calls after violating a temporary protective order to contact his ex-wife for the purpose 
of harassing and intimidating her. ** Edens’ “victimization of others extended beyond 
fraudulendy obtaining individuals private location information and using that information to 
find those individuals.”** Edens called another victim three or four times a day, “came to [her] 
home [at] all hours of the night[,] and showed up at [her] place of employment.”*^ 

B. Low-income people and their families are particularly vulnerable to abuse of 
their location data. 

Low-income people, particularly those in the penal system and their families, are 
particularly vulnerable to abuses of location sharing and surveillance more generally.** 
“[S]urveillance of the poor is broader, more invasive, and more difficult to redress than 
surveillance of other groups.”*** It is reasonable to believe that the sharing of location 
information would likewise have a disproportionate effect. 

Additionally, correctional officers have the capability to track the location of an inmate’s 
friends and family.*** Family and friends who decide to communicate with inmates in an effort 

** Kaofeng Lee & Erica Olsen, Cell Phone location, Privag and Intimate Partner Violence, 18 
Domestic Violence Report 6 (Aug./Sept. 2013), https://www.acesdv.org/wp- 
content/uploads72014/06/NNEDV CellPhoneLocationPrivacy DVRarticle 2013.pdf . 

** See discussion supra. Part I.C; Motherboard, Mar. 6, 2019, supra note 8; U.S. v. Edens, supra 
note 29. 

** U.S. V. Edens, supra note 29 at 5. 

Id. 

** See Mary Madden, et al, Privacy, Poverty, and Big Data: A Matrix of Vulnerabilities for Poor 
Americans, 95 Wash. L. Rev. 53, 58-60 (2017), available at 

https://heinonline.org/HOL/Page?collection=iournals&handle=hein.iournals/walq95&id=6 
O&men tab=srchresults . A study by the Prison Policy Initiative shows that in 2014, 
incarcerated people had a median annual income of $19,185 prior to their incarceration, which 
is 41% less than non-incarcerated people of similar ages. Bernadette Rabuy & Daniel Kopf, 
Prisons of Poverty: Uncovering the pre-incarceration incomes of the imprisoned. Prison Policy Initiative 
(July 9, 2015), https://www.prisonpolicy.org/reports/income.html. 

*** Madden, supra note 88 at 63. 

*** See Securus Georgia Response Document, supra note 11, at 26 (LBS will “[p]rovide the 
called party’s true location at the time of an inmate’s call via a link in the call detail record 
(CDR).”). 


16 



to expedite their rehabilitation will be subject to monitoring by law enforcement. It is crucial 
that these family and friends are afforded the protection of the law. Preventing the unlawful 
abuse of location information is cmcial to protecting the rights of those marginalized in 
society because of their economic disadvantage. To compound this concern, low-income 
individuals often lack the necessary resources to assert their rights.®’ 

* * * 

For the foregoing reasons, we respectfully request that the Commission investigate the 
improper disclosure by the Carriers of customer location information to unauthorized third 
parties, enjoin the practice, fine the Carriers as appropriate, and seek any further relief as is 
just and proper. 


Leonard WiUs, Access to Justice: Mitigating the Justice Gap, American Bar Association (2017), 
https: / /www.americanbar.org/groups /litigation/committees /minority-trial- 
lawyer/ practice/2017/access-to-justice-mitigating-justice-gap/ (“A recent study shows that 
approximately 80 percent of low-income individuals cannot afford legal assistance. The middle 
class struggles, too: a study shows that ‘forty to sixty percent of their legal needs go unmet.’”). 


17 



